Artima: Microsoft Under Attack

Not by angry customers suing for damages after security breaches, or by governments breaking up monopolies, but by open source developers and security professionals accusing them of being obsessed by security.

The post goes on to chronicle a panel discussion, moderated by the author, titled “Should companies be emulating Microsoft’s Security Development Lifecycle?” at the OWASP Europe conference in Leuven.

Reading through the comments, one reader asks “Can you give an example of where a MS product has superseded a comparable open-source project in terms of security?”

I suppose that depends on your definition of security, but I took it to mean “software having less serious vulnerabilities for hackers to potentially exploit” and posted my own reply. The short answer is that there are more and more examples the longer that Microsoft applies SDL and other security programs while comparable open source projects claim that they don’t need to pursue similar security goals (due to “many eyes” or whatever reasons).

I think my previous posting on the Red Hat Workload Vulnerability Index is one good example of a (not-defined-by-Microsoft) metric comparing the results of differing development processes.

About the Author

Principal Cybersecurity Strategist

Jeff Jones is a 27-year security industry professional who has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends